Kaspersky Secure Mobility Management

The help for this version of the solution is no longer updated, so it may contain outdated information. For up-to-date information about the solution refer to the Kaspersky Secure Mobility Management 4.1 Help.

Configuring connection to a Wi-Fi network

This section provides instructions on how to configure automatic connection to a corporate Wi-Fi network on Android and iOS MDM devices.

In this section

Connecting Android devices to a Wi-Fi network

Connecting iOS MDM devices to a Wi-Fi network

Connecting Android devices to a Wi-Fi network

For an Android device to automatically connect to an available Wi-Fi network and protect data during the connection, you should configure the connection settings.

To connect the mobile device to a Wi-Fi network:

  1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Wi-Fi section.
  5. In the Wi-Fi networks section, click Add.

    This opens the Wi-Fi network window.

  6. In the Service set identifier (SSID) field, enter the name of the Wi-Fi network that includes the access point (SSID).
  7. Select the Hidden network check box if you want the Wi-Fi network to be hidden in the list of available networks on the device. In this case, to connect to the network the user needs to manually enter the Service set identifier (SSID) specified in the settings of the Wi-Fi router on the mobile device.
  8. Select the Automatic connection to network check box if you want the device to connect to the Wi-Fi network automatically.
  9. In the Network protection section, select the type of Wi-Fi network security (open or secure network protected with the WEP, WPA/WPA2 PSK, or 802.1.x EAP protocol).

    The 802.1.x EAP security protocol is supported only in the Kaspersky Endpoint Security for Android app version 10.48.1.1 or later. The WEP protocol is supported only on Android 9 or earlier.

  10. If you selected the 802.1.x EAP security protocol, specify the following network protection settings:
    • EAP method

      Specifies an Extensible Authentication Protocol (EAP) method of network authentication. Possible values:

      • TLS (default)
      • PEAP
      • TTLS
    • Root certificate

      Specifies the root certificate to be used by the Wi-Fi network if the TLS EAP method is selected.

      You can specify a certificate in one of the following ways:

      • Select any available certificate from the drop-down list. It contains certificates previously added to the Root certificates section. On devices, these certificates are installed to a trusted certificate store.
      • Load a new certificate file (.cer, .pem, or .key) by clicking Browse. This certificate will not be added to the Root certificates section. On devices, the certificate will be used only for configuring this Wi-Fi network and will not be installed to a trusted certificate store.
    • Domain

      Specifies the constraint for the server domain name.

      If set, this Fully Qualified Domain Name (FQDN) is used as a suffix match requirement for the root certificate in SubjectAltName dNSName element(s). If a matching dNSName is found, this constraint is met.

      You can specify multiple match strings using semicolons to separate the strings. A match with any of the values is considered a sufficient match for the certificate (i.e., the OR operator is used).

      If you specify *, any root certificate is considered valid. This value is specified by default.

    • User certificate

      Specifies the user certificate to be used by the Wi-Fi network if the TLS EAP method is selected.

      The following values are available in the drop-down list:

      • None - The user certificate is not specified.
      • VPN certificate - The VPN certificate that was last added in the Mobile Device Management > Certificates section of the Kaspersky Security Center Administration Console and was installed on the user device. If you choose this option, but no VPN certificate is installed on the device, the user certificate is not used for this Wi-Fi network.
      • List of SCEP certificate profiles configured in the SCEP and NDES section and used to obtain certificates.
    • Type of two-factor authentication

      Specifies a two-factor authentication type. Possible values:

      • None (default)
      • MSCHAP
      • MSCHAPV2
      • GTC
    • User identity

      Specifies a user ID to be used if the TLS EAP method is selected. You can either enter the value or select it from the Available macros drop-down list.

    • Anonymous identity

      Specifies an anonymous identity that is different from User identity and is used if the PEAP method of network authentication is selected. You can either enter the value or select it from the Available macros drop-down list.

    • Available macros

      A macro that will be used to replace values in the corresponding fields. Possible values:

      • %email%. Specifies the email address of the user to whom the device is registered. The value is retrieved from a mobile certificate.
      • %email_domain%. Specifies the email address domain of the user to whom the device is registered. The value is retrieved from a mobile certificate.
      • %email_user_name%. Specifies the username from the email address to which the device is registered. The value is retrieved from a mobile certificate.
      • %user_name%. Specifies the username under which the device is registered. The value is retrieved from a mobile certificate.
      • %device_id%. Specifies the ID of the device.
      • %group_id%. Specifies the ID of the administration group to which the device belongs.
      • %device_platform%. Specifies the device platform.
      • %device_model%. Specifies the device model.
      • %os_version%. Specifies the operating system version on the device.
    • Password

      Specifies a password for accessing a wireless network protected using a WEP or WPA2 PSK protocol. The password will be sent in a QR code.

  11. In the Password field, set a network access password if you selected a secure network at step 9.
  12. Select the Use proxy server option if you want to use a proxy server to connect to a Wi-Fi network. Otherwise, select the Do not use proxy server option.
  13. If you selected Use proxy server, in the Proxy server address and port field, enter the IP address or DNS name of the proxy server and port number, if necessary.

    On devices running Android version 8.0 or later, settings of the proxy server for Wi-Fi cannot be redefined with the policy. However, you can manually configure the proxy server settings for a Wi-Fi network on the mobile device.

    If you are using a proxy server to connect to a Wi-Fi network, you can use a policy to configure the settings for connecting to the network. On devices running Android 8.0 or later, you must manually configure the proxy server settings. On devices running Android 8.0 or later, you cannot use a policy to change the Wi-Fi network connection settings, except for the network access password.

    If you are not using a proxy server to connect to a Wi-Fi network, there are no limitations on using policies to manage a Wi-Fi network connection.

  14. In the Do not use proxy server for addresses field, generate a list of web addresses that can be accessed without the use of the proxy server.

    For example, you can enter the address example.com. In this case, the proxy server will not be used for the addresses pictures.example.com, example.com/movies, etc. The protocol (for example, http://) can be omitted.

    On devices running Android version 8.0 or later, the proxy server exclusion for web addresses does not work.

  15. Click OK.

    The added Wi-Fi network is displayed in the list of Wi-Fi networks.

    This list contains the names of suggested wireless networks.

    On personal devices running Android 10 or later, the operating system prompts the user to connect to such networks. Suggested networks don't appear on the saved networks list on these devices.

    On devices operating in device owner mode and personal devices running Android 9 or earlier, after synchronizing the device with the Administration Server, the device user can select a suggested wireless network in the saved networks list and connect to it without having to specify any network settings.

    You can modify or delete Wi-Fi networks in the list of networks using the Edit and Delete buttons at the top of the list.

  16. Click the Apply button to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

On devices running Android version 10.0 or later, if a user refuses to connect to the suggested Wi-Fi network, the app's permission to change Wi-Fi state is revoked. The user must grant this permission manually.
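
The following is an added example, not Kaspersky code, of how the Domain constraint described in step 10 evaluates: semicolon-separated suffixes, OR semantics, and the default `*`, which leaves the certificate name unconstrained. Matching on label boundaries and treating an empty field as unset are assumptions modeled on wpa_supplicant's `domain_suffix_match`; the function names and host names are constructed.

```python
def _patterns(domain_field):
    """Split the Domain field on semicolons, dropping blanks."""
    return [p.strip().lower().rstrip(".") for p in domain_field.split(";") if p.strip()]


def _suffix_match(dns_name, suffix):
    """Match on a label boundary: the name equals the suffix or ends with '.' + suffix."""
    name = dns_name.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def domain_constraint_met(domain_field, san_dns_names):
    """True if any dNSName satisfies any configured suffix (OR semantics)."""
    patterns = _patterns(domain_field)
    if not patterns or "*" in patterns:
        return True  # assumption: empty means unset; '*' accepts any certificate
    return any(_suffix_match(n, p) for n in san_dns_names for p in patterns)


def review_domain_field(domain_field):
    """Findings an administrator would want before applying the policy."""
    patterns = _patterns(domain_field)
    findings = []
    if not patterns or "*" in patterns:
        findings.append("unconstrained: any certificate name is accepted")
    findings += ["'%s' has a single label and matches a whole TLD" % p
                 for p in patterns if p != "*" and "." not in p]
    return findings


# Constructed dNSName sets, as they would appear in a certificate's SubjectAltName
CORP = ["radius1.corp.example.com"]
LOOKALIKE = ["radius1.notcorp.example.com"]

if __name__ == "__main__":
    for field in ("*", "corp.example.com", "corp.example.com;wifi.example.net", "com"):
        print(field, domain_constraint_met(field, CORP),
              domain_constraint_met(field, LOOKALIKE), review_domain_field(field))
```

With the default `*`, the lookalike name is accepted exactly like the corporate one, so the field only restricts anything once it is set to the organization's own suffix.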

Connecting iOS MDM devices to a Wi-Fi network

For an iOS MDM device to automatically connect to an available Wi-Fi network and protect data during the connection, you should configure the connection settings.

To configure the connection of an iOS MDM device to a Wi-Fi network:

  1. In the console tree, in the Managed devices folder, select the administration group to which the iOS MDM devices belong.
  2. In the workspace of the group, select the Policies tab.
  3. Open the policy properties window by double-clicking any column.

    Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

  4. In the policy Properties window, select the Wi-Fi section.
  5. Click the Add button in the Wi-Fi networks section.

    This opens the Wi-Fi network window.

  6. In the Service set identifier (SSID) field, enter the name of the Wi-Fi network that includes the access point (SSID).
  7. If you want the iOS MDM device to connect to the Wi-Fi network automatically, select the Automatic connection check box.
  8. To make it impossible to connect iOS MDM devices to a Wi-Fi network requiring preliminary authentication (captive network), select the Disable captive networks detection check box.

    To use a captive network, you must subscribe, accept an agreement, or make a payment. Captive networks may be deployed in cafes and hotels, for example.

  9. If you want the Wi-Fi network to be hidden in the list of available networks on the iOS MDM device, select the Hidden Network check box.

    In this case, to connect to the network the user needs to manually enter the Service set identifier (SSID) specified in the settings of the Wi-Fi router on the mobile device.

  10. In the Network protection drop-down list, select the type of protection of the Wi-Fi network connection:
    • Disabled. User authentication is not required.
    • WEP. The network is protected using Wireless Encryption Protocol (WEP).
    • WPA/WPA2 (Personal). The network is protected using WPA / WPA2 protocol (Wi-Fi Protected Access).
    • WPA2 (Personal). The network is protected using WPA2 protocol (Wi-Fi Protected Access 2.0). WPA2 protection is available on devices running iOS version 8 or later. WPA2 is not available on Apple TV devices.
    • Any (Personal). The network is protected using the WEP, WPA or WPA2 encryption protocol depending on the type of Wi-Fi router. An encryption key unique to each user is used for authentication.
    • WEP (Dynamic). The network is protected using the WEP protocol with the use of a dynamic key.
    • WPA/WPA2 (Enterprise). The network is protected using the WPA/WPA2 encryption protocol with the use of the 802.1X protocol.
    • WPA2 (Enterprise). The network is protected using the WPA2 encryption protocol with the use of one key shared by all users (802.1X). WPA2 protection is available on devices running iOS version 8 or later. WPA2 is not available on Apple TV devices.
    • Any (Enterprise). The network is protected using WEP or WPA / WPA2 protocol depending on the type of Wi-Fi router. One encryption key shared by all users is used for authentication.

    If you have selected WEP (Dynamic), WPA/WPA2 (Enterprise), WPA2 (Enterprise) or Any (Enterprise) in the Network protection list, in the Protocols section you can select the types of EAP protocols (Extensible Authentication Protocol) for user identification on the Wi-Fi network.

    In the Trusted certificates section, you can also create a list of trusted certificates for authentication of the iOS MDM device user on trusted servers.

  11. Configure the settings of the account for user authentication upon connection of the iOS MDM device to the Wi-Fi network:
    1. In the Authentication section, click the Configure button.

      The Authentication window opens.

    2. In the User name field, enter the account name for user authentication upon connection to the Wi-Fi network.
    3. To require the user to enter the password manually upon every connection to the Wi-Fi network, select the Prompt for password at each connection check box.
    4. In the Password field, enter the password of the account for authentication on the Wi-Fi network.
    5. In the Authentication certificate drop-down list, select a certificate for user authentication on the Wi-Fi network. If the list does not contain any certificates, you can add them in the Certificates section.
    6. In the User ID field, enter the user ID displayed during data transmission upon authentication instead of the user's real name.

      The user ID is designed to make the authentication process more secure, as the user name is not displayed openly, but transmitted via an encrypted TLS tunnel.

    7. Click OK.

    As a result, the settings of the account for user authentication upon connection to the Wi-Fi network will be configured on the iOS MDM device.

  12. If necessary, configure the settings of the Wi-Fi network connection via a proxy server:
    1. In the Proxy server section, click the Configure button.
    2. In the Proxy server window that opens, select the proxy server configuration mode and specify the connection settings.
    3. Click OK.

    As a result, the settings of the device connection to the Wi-Fi network via a proxy server are configured on the iOS MDM device.

  13. Click OK.

    The new Wi-Fi network is displayed in the list.

  14. Click the Apply button to save the changes you have made.

As a result, a Wi-Fi network connection will be configured on the user's iOS MDM device once the policy is applied. The user's mobile device will automatically connect to available Wi-Fi networks. Data security during a Wi-Fi network connection is ensured by the authentication technology.
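
The following is an added example, not Kaspersky code, that reviews the result of this procedure as it lands on the device: it parses a configuration profile and flags the weaker choices from steps 10 and 11 (Disabled, WEP or Any protection, 802.1X without trusted certificates, no User ID, a stored password). It assumes the settings are delivered as a standard Apple Wi-Fi payload (`com.apple.wifi.managed`) in an unsigned profile, which the page does not state; the sample profile is constructed.

```python
import plistlib

TUNNELED = {21, 25, 43}  # TTLS, PEAP, EAP-FAST codes in AcceptEAPTypes


def audit_wifi_payload(p):
    """Return review findings for one com.apple.wifi.managed payload dict."""
    findings = []
    enc = p.get("EncryptionType", "Any")
    if enc == "None":
        findings.append("Disabled: no authentication or encryption")
    elif enc in ("WEP", "Any"):
        findings.append("%s: WEP may be used" % enc)
    eap = p.get("EAPClientConfiguration")
    if eap:
        if not (eap.get("PayloadCertificateAnchorUUID") or eap.get("TLSTrustedServerNames")):
            findings.append("802.1X without trusted certificates or server names")
        if TUNNELED & set(eap.get("AcceptEAPTypes", [])) and not eap.get("OuterIdentity"):
            findings.append("no User ID: real user name sent outside the TLS tunnel")
        if "UserPassword" in eap:
            findings.append("account password stored in the profile")
    return findings


def audit_profile(data):
    """Parse unsigned profile bytes and audit each Wi-Fi payload, keyed by SSID."""
    profile = plistlib.loads(data)
    return {pl.get("SSID_STR"): audit_wifi_payload(pl)
            for pl in profile.get("PayloadContent", [])
            if pl.get("PayloadType") == "com.apple.wifi.managed"}


# Constructed sample profile with one weak and one hardened network
SAMPLE = plistlib.dumps({"PayloadContent": [
    {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "corp-legacy",
     "EncryptionType": "Any", "AutoJoin": True,
     "EAPClientConfiguration": {"AcceptEAPTypes": [25], "UserName": "jdoe",
                                "UserPassword": "constructed-sample"}},
    {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "corp-secure",
     "EncryptionType": "WPA2", "AutoJoin": True,
     "EAPClientConfiguration": {"AcceptEAPTypes": [25], "UserName": "jdoe",
                                "OuterIdentity": "anonymous", "OneTimeUserPassword": True,
                                "TLSTrustedServerNames": ["radius.corp.example.com"]}},
]})

if __name__ == "__main__":
    for ssid, findings in audit_profile(SAMPLE).items():
        print(ssid, findings or "ok")
```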
